scsi security nuts and bolts - snia | advancing storage ... · scsi security nuts and bolts the...

SCSI Security Nuts and Bolts

Ralph Weber, ENDL Texas

Security Nuts and Bolts © 2008 Storage Networking Industry Association. All Rights Reserved. 22

SNIA Legal Notice

The material contained in this tutorial is copyrighted by the SNIA. Member companies and individuals may use this material in presentations and literature under the following conditions:

Any slide or slides used must be reproduced without modificationThe SNIA must be acknowledged as source of any material used in the body of any document containing material from these presentations.

This presentation is a project of the SNIA Education Committee.


Abstract

SCSI Security Nuts and BoltsThe SCSI Command Sets are the lingua franca

of computer storage, the language by which computer systems and peripherals communicate to support the storage and retrieval of information -

the lifeblood of any modern business. SCSI has evolved from origins in the early 1980s in small

computers to support modern SANs

that interconnect ten of thousands of peripherals and servers. The latest SCSI standards projects underway in INCITS Technical Committee T10 define the creation of Security Associations, methods of deriving keys & performing strong mutual authentication, per-command security controls supporting multiple levels of protection, support for security protocols defined separately by multiple other standards organizations, and the control and operation of new security features within storage peripherals themselves. This session will cover these new features in detail, and will highlight the new requirements that these features will place on the operation and management of future computer systems

and their storage configurations.


Notice

The authors are NOT attorneys, and nothing in this presentation is intended to be (and should not be) construed as legal advice or opinion. If you need legal advice or a legal opinion, please contact an attorney.The information presented herein represents the authors’

personal opinions and understanding of the issues involved. The author, contributors, presenter, conference host, and SNIA DO NOT

assume any responsibility or liability for

damages arising out of any reliance on or use of this information.


Agenda

50,000' ViewHistory, Terms, Puzzle (some trees –

some forest), etc.

Management ConcernsNuts and BoltsLoose Ends


This History of SCSI (in one slide)

SCSI-2

Parallel BusDisksTapes…

1980 — 1989



SCSI-2

Transports

Parallel BusFibre Channel

Commands

Block (Disks)Stream (Tapes, Printers)

1980 — 1989 1990



SCSI-2

Transports

Parallel BusFibre Channel

Commands

Block (Disks)Stream (Tapes, Printers)

Glue

ArchitectureShared Commands

1980 — 1989 1990



SCSI-2

Transports

SPI-xFCP-xSAS-xSBP-x (Firewire)ADT-x (robotics)iSCSIUSB Bulk Transport

Commands

SBC-x/RBC (Disks)SSC-x (Tapes)SES-x (Enclosures)SMC-x (Media Changers)OSD-x (Object Storage)Optical Card Reader

Architecture (SAM-x)Shared Commands(SPC-x)

1980 — 1989 1990 Today

Key:Developed by T10(www.t10.org)Developed by T10and other groupsDeveloped exclusivelyby other groups


Security Enforcement Points

Transport SecurityAffects all commands

and dataProtection from

Wire tapsHackers on the network

SCSI TransportsUSBSASFibre ChanneliSCSI

Command SecurityAffects one command only

Command dataNot Command itselfNot User data

Protection fromCreative

softwareHackers on the network

Check out SNIA Tutorial:

IP Storage Protocols - iSCSI


Fibre Channel Technologies: Current and Future


Ultimate Security Enforcement Point

End-Point

Command Security Command Security

Transport Security

An End-Point

Uses a Command

That is sent across a Transport

… To another End-Point

End-Point


End-Point Postscript

Warning: The definition of End-Point

is fuzzy.

HBA (Host Bus Adapter)

builders see End-Point

as the HBA


End-Point Postscript

Warning: The definition of End-Point

is fuzzy.

HBA builders see End-Point

as the HBA

Applications see End-Point

as their program


Transport Level Security

Authenticates Hardware (HBAs

& Drive Ports)Hardware-based encryptionEncrypts/Integrity Checks Whole Frames

iSCSIIKE —

Authentication and Key ExchangesIPsec

— Encryption and Integrity CheckingMACSec

— Ethernet Encryption and Integrity Checking

Fibre ChannelFC-SP —

Clones of IKE and IPsec

all in one package


ABCs of Encryption


Command Level Security

Authenticates Builder of the CommandMight authenticate the program image

Software-based encryptionEncrypts/Integrity Checks Only Specific Data

Command Data (as currently defined)

Encrypt a Tape-Data-Encryption key in transit

from Host to Drive

Not User Data

See SPC-4 (SCSI Primary Commands)

and other command standards


Security Toolbox

AuthenticationExample: Driver’s License Check

Integrity CheckingExample: Notarized Copy

EncryptionExample: Pig Latin


Security Jigsaw Puzzle

Several ways to do the same thing (using Tape-Data-Encryption keys as an example)

Transport Level Encryption(Hardware) Encrypt everythingIncluding the Tape-Data-Encryption keys

Command Level EncryptionSetup Security Association (extra commands)(Software) Encrypt just the Tape-Data-Encryption keys


Solving the Security Jigsaw Puzzle

No Right (one size fits all)

AnswerEncrypting everything may be overkill

If (for example) the only family jewel on the link is the Tape-Data-Encryption key

New Site-Specific Customization OpportunitiesWhat to secure ... Where?

Product Manufacturers Will HelpPromote standardsSuggest best product uses


Agenda

50,000' ViewManagement Concerns

Distributing Authentication InfoHow to AuthenticateWhat to AuthenticateWhere to Authenticate

Nuts and BoltsLoose Ends


Distributing the Authentication Info

Security Job One is Always Authentication

Multiple Ways to AuthenticateMultiple Things That Can Be AuthenticatedMultiple Places to Authenticate

Governmental Agencies May Help Make These Choices


Information Security and IT Compliance


Distributing the Authentication Info

Multiple Ways to Authenticate DevicesCertificates (aka Public Key Infrastructure)Shared Secrets (aka passwords)

Multiple Things That Can Be AuthenticatedDevices/PortsUsersPrograms

Multiple Places to AuthenticateIn the End DevicesCentral Security Server (e.g., RADIUS)


How to Authenticate

Multiple Ways to Authenticate DevicesCertificatesShared Secrets (aka passwords)

Certificates Require a Public Key InfrastructureBooks have been written on thisMaybe you already have a PKI

Shared Secrets Must Be EstablishedCentralized Password or Secret Management


What to Authenticate

Multiple Things That Can Be AuthenticatedDevices/PortsUsersPrograms

Affects Where the Authentication Material Must be Distributed too

Softer authentication objects

might be harder to supply with an authentication identity

Standardization for this is in its infancyWhat your gut says is right may not be supported


Where to Authenticate

Multiple Places to AuthenticateIn the End Devices

More Management by Walking Around

Central Security Server (e.g., RADIUS)More Lines-of-Communication Concerns

Well-Designed Security Features Always Give You This Choice


Agenda

50,000' ViewManagement ConcernsNuts and Bolts

Transport Security (not much new)Command Security (very interesting)

Loose Ends


Transport Security

Authenticates Hardware (HBAs

& Drive Ports)

Hardware-based encryption

Encrypts/Integrity Checks Whole Frames


Command Security

New

Commands

New

SAs

(Security Associations) for Command Uses

New

Command-Parameter Data Encryption and/or Integrity Checking

New

Extensions to Commands

New

Capability-Based Security on Commands


Security Commands

SECURITY PROTOCOL IN/OUT Command~225 protocol codes still available for T10 assignment

Five protocols already used by T10IEEE 1667 Host AuthenticationATA Drive LockingSD Card TrustedFlash

(www.sdcard.org)

Six protocols assigned to the Trusted Computing Group (www.trustedcomputinggroup.org)16 Vendor Specific


TCG Trusted Storage Specifications

http://www.sdcard.org/

http://www.trustedcomputinggroup.org/


SECURITY PROTOCOL IN/OUT

Very FlexibleSee list of existing uses

Mostly a Data-Transfer ShellContents Always More Interesting Than Vessel

Widespread Tendency to AbbreviateSPIN

and SPOUT


Command-Based SAs

Setup via a Pair of SPIN/SPOUT ProtocolsDetermine Supported Features (one command)

Create the SA (two or four commands)

Identified by Indices (but with differences from Transport SAs)

Two SAs

per Creation Operation (In and Out)Best fit for SCSI command structure

Index called SAI (Security Association Index) not SPI (Security Parameters Index)

because SPI is the name of the Parallel Bus standardNumerous differences in the details too


Command-Based SAs

SA Pair is Not Qualified by I_T NexusUse Not Limited to One Pair of SCSI DevicesDevice Server Required to Assign a Unique SAI

to Every SA It CreatesHosts Can

Exchange SA Information Out-of-Band andUse SAs

Across Any Port

How useful this will be is yet to be seen


Command Data Encryption

Define an SA to SpecifyType of EncryptionType of Integrity Checking

Use SA to Protect

One or More Fields in Command- Related Data

Encrypt Some DataEncrypt All Data

Ready-to-Use Tools in SPC-4Used by:

Tape-Data-Encryption KeysCapability-Based Command Security Credentials


CDB Extensions

General Mechanism for Adding Chunks of New Data to Every CDB (Command Data Block)

Better than defining hundreds of new CDBs

UsesPer-Command Quality of ServicePer-Command Usage ClassificationCapability-Based Command Security Extensions…


Credential-Based Command Security

Authenticate With Credential ServerMaybe with SA, maybe other mechanism

Request CredentialEncrypt Credential using above mentioned SA

Extend CDB by Adding CredentialSee CDB Extensions in previous slide

Manage Access to a ResourceDefined for Disks, Tapes, and Media Changers


Credential-Based Command Security

Authenticate With Credential ServerMaybe with SA, maybe other mechanism

Request CredentialEncrypt Credential using above mentioned SA

Extend CDB by Adding CredentialSee CDB Extensions in previous slide

Manage Access to a ResourceDefined for Disks, Tapes, and Media Changers

Much Like Standard OSD (Object-based Storage Device)

Security Feature


Agenda

50,000' ViewManagement ConcernsNuts and BoltsLoose Ends


Where Is All This Headed?

The Sky’s the LimitReservations with Authenticated Access RestrictionsNon-Credential Command Security

Some people think Credential-Based Command Security is too complex

Command level SAs

seed Transport level SAs

Work With Your Equipment Vendors to Request Features You Need


Q&A / Feedback

Please send any questions or comments on this presentation to SNIA: [email protected]

Many thanks to the following individuals for their contributions to this tutorial.

-

SNIA Education Committee

Roger Cummings

mailto:[email protected]

scsi security nuts and bolts - snia | advancing storage ... · scsi security nuts and bolts the...

Documents